
Thursday, 14 February 2013

Finding Hidden Vhosts

A web server with no hidden vhosts

During a recent test we observed a number of web servers that each had several vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the same web server.

Unfortunately, the vhosts were not configured to reject requests from non-internal source addresses, meaning that the only thing restricting access to the ‘hidden’ vhosts was the lack of public DNS resolution. To quickly enumerate configured vhosts, I wrote a small Perl script that takes two arguments - a file containing a list of IP addresses (targets), and a file containing a list of hostnames. Optionally, you can also pass a domain name to append to each hostname, so that the hosts file need only contain common entries that can be reused against any target.

The script shows where responses differ between requests, along with the length of each response, allowing you to quickly identify vhosts of interest regardless of whether there is an associated DNS entry. If you find something, just be sure to create a static host entry before viewing it in a browser!
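The root cause above is that a vhost was served to anyone who sent the right Host header, with DNS as the only gate. As an added illustration (not from the original post, and not the client's configuration), the nginx layout below shows the weak arrangement alongside the corrected one; the server software, addresses, names and network ranges are assumptions.

```nginx
# 1. Catch-all for any Host header that matches no configured server_name.
#    Without a default_server block, nginx serves the first vhost defined for
#    this address, so a guessed hostname can still land on a real site.
server {
    listen 203.0.113.10:80 default_server;
    server_name _;
    return 444;              # close the connection without a response
}

# 2. The public site: reachable by anyone, answers only to its own names.
server {
    listen 203.0.113.10:80;
    server_name www.example.com example.com;
    root /var/www/public;
}

# 3. An internal-only vhost. The weak form is this block with no access
#    control at all: it answers any client that sends "Host: wiki.internal",
#    whether or not that name resolves in public DNS.
server {
    listen 203.0.113.10:80;
    server_name wiki.internal;
    root /var/www/wiki;

    # Fix: restrict by source address, independent of how the name resolved.
    allow 10.0.0.0/8;        # assumed internal range
    allow 192.168.0.0/16;    # assumed internal range
    deny  all;               # everyone else receives 403
}
```

Better still, bind internal vhosts to an internal-facing address or interface so they are never reachable via the public listener at all; the allow/deny rules then act as a second layer rather than the only one.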

Any feedback, improvements or comments, please use the comments field below.

We had a client that had several vhosts configured that were intended for internal use only (e.g. wiki.internal) - as such, only the internal DNS server resolved these hosts. Brute forcing the external DNS server would not have identified the hidden hosts.